How to setup LDAP logon for Tintri VMstore
Tintri just released version 3.0 of the Tintri OS this week. Among the features in this upgrade is the long-awaited ability to use LDAP/AD for role-based access control (RBAC). I was happy to see this and some other features that I will be writing about separately. In previous versions of Tintri OS there was only a single local Admin account; it had full access and every user had to share it, so there was no way to tell administrators apart or to give anyone less than full rights. The new LDAP option offers greater flexibility for larger teams that have multiple levels of administrators.
I will walk through the steps to connect a Tintri VMstore to Active Directory and to enable an AD group for admin access.
Tintri LDAP Setup
Step 1: To get the process started, log into the Tintri management web page and click on the Settings menu in the top right corner.
Step 2: Click on Directory Services in the left menu tree. You will then see the option to enable AD or LDAP for directory services. For this setup I will be configuring AD.
Step 3: Now that I have clicked the AD radio button, the fields for my information have appeared. Sample naming conventions are shown, and further details are presented if you hover your mouse cursor over a field.
Step 4: I have now entered the domain name details and provided an account that can be used to look up groups in the domain. This account only needs to read group membership, so use a dedicated, least-privilege service account rather than a domain administrator, since the VMstore has to keep that credential to perform lookups. There are two methods for finding the domain controllers. I am using the auto discover method; you can also explicitly provide them in a comma-separated list.
Step 5: I have now saved my configuration details and clicked on the Verify saved domain join option. This tests that your settings allow the VMstore to connect to the domain. If the test passes you are ready to enable AD groups for access.
Step 6: To start setting up groups for access, choose Management Access from the left menu of the Settings page. From here you first need to enable directory services.
Step 7: In the same Management Access section we can now click the green plus under External groups to configure an AD group.
Step 8: In this step I have clicked on the drop-down menu that is now available for the line item being created. It lists the Security Groups with Global scope in the domain that was configured. Choose the group that you want to enable.
Note: You will not be able to select Security Groups that are Domain Local. I also was not able to select groups from the other domain that is configured with a two-way trust to the AD domain that was linked to the VMstore. Both of these present issues when trying to enable users from a trusted domain for access. I have put in a ticket with Tintri to see if this was planned or something that might be fixed.
Step 9: Now that we have selected a group for access, the next step is to click on the Role column. This presents the permission or role options that this group will be configured with:
- Read Only: Can view storage management attributes, but not modify anything.
- Storage Admin: Able to perform storage management tasks, but cannot view or manipulate appliance security attributes.
- Super Admin: Able to perform any management task within the Tintri appliance. The existing (historical) Admin local user is a member of this group.
This completes all the steps necessary to enable AD/LDAP groups to access the Tintri management interface. There will likely be multiple groups that need access at different role levels; complete the steps for each group that you wish to configure. I will update the details on group access for AD once I work with Tintri support.
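As an added example (not part of the original post, and not Tintri's code), here is a small Python check for the group-scope limitation noted under Step 8. Given group entries in the shape an LDAP search against your domain controller returns them, it decodes the AD groupType attribute and reports which groups are security-enabled Global groups in the joined domain, and why each of the others will not appear in the VMstore drop-down. It also builds the LDAP filter you would use to pull only such groups from a DC. The group names, DNs and entries below are constructed for illustration; the groupType flag values and the signed 32-bit storage format are Microsoft's documented behaviour.

```python
"""Which AD groups can a Tintri VMstore pick under External groups?

Added example, not Tintri code. Decodes the AD groupType attribute and keeps
only security-enabled Global groups in the joined domain, which is what the
walkthrough found the Management Access drop-down will offer. All directory
entries in this file are constructed sample data, not real directory output.
"""

# groupType bit flags from Microsoft's ADS_GROUP_TYPE_ENUM
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000


def decode_group_type(value):
    """Return (scope, is_security) for a raw groupType value.

    AD stores groupType as a signed 32-bit integer, so security groups come
    back negative (e.g. -2147483646 for a Global security group). LDAP
    libraries may hand it over as int or str; both are accepted here.
    """
    raw = int(value) & 0xFFFFFFFF  # normalise the negative two's-complement form
    if raw & GLOBAL:
        scope = "Global"
    elif raw & DOMAIN_LOCAL:
        scope = "DomainLocal"
    elif raw & UNIVERSAL:
        scope = "Universal"
    else:
        scope = "Unknown"
    return scope, bool(raw & SECURITY_ENABLED)


def in_domain(dn, domain_dn):
    """True when the group's DN sits under the joined domain's naming context."""
    return dn.lower().endswith("," + domain_dn.lower())


def classify_groups(entries, domain_dn):
    """Return (name, verdict) for every entry.

    The verdict is 'eligible' for a security-enabled Global group in
    domain_dn; otherwise it states why the VMstore UI will not list it
    (foreign/trusted domain, distribution group, or non-Global scope).
    """
    results = []
    for entry in entries:
        scope, is_security = decode_group_type(entry["groupType"])
        if not in_domain(entry["dn"], domain_dn):
            verdict = "foreign domain (groups from trusted domains are not selectable)"
        elif not is_security:
            verdict = "distribution group, not a security group"
        elif scope != "Global":
            verdict = f"{scope} scope is not selectable"
        else:
            verdict = "eligible"
        results.append((entry["name"], verdict))
    return results


def eligible_group_names(entries, domain_dn):
    """Just the names the drop-down should offer."""
    return [name for name, verdict in classify_groups(entries, domain_dn) if verdict == "eligible"]


def global_security_group_filter():
    """LDAP filter that returns only Global security groups from a DC.

    SECURITY_ENABLED | GLOBAL is 0x80000002; AD stores it as the signed value
    -2147483646, so the filter must compare against that.
    """
    signed = (SECURITY_ENABLED | GLOBAL) - (1 << 32)
    return f"(&(objectCategory=group)(groupType={signed}))"


# Constructed sample entries standing in for an LDAP search result.
JOINED_DOMAIN_DN = "DC=corp,DC=example"
SAMPLE_ENTRIES = [
    {"name": "Tintri-SuperAdmins", "dn": "CN=Tintri-SuperAdmins,OU=Storage,DC=corp,DC=example", "groupType": -2147483646},
    {"name": "Tintri-ReadOnly-DL", "dn": "CN=Tintri-ReadOnly-DL,OU=Storage,DC=corp,DC=example", "groupType": "-2147483644"},
    {"name": "Storage-Team-List", "dn": "CN=Storage-Team-List,OU=Storage,DC=corp,DC=example", "groupType": 2},
    {"name": "Trusted-Admins", "dn": "CN=Trusted-Admins,OU=Groups,DC=partner,DC=example", "groupType": -2147483646},
    {"name": "Tintri-Universal", "dn": "CN=Tintri-Universal,OU=Storage,DC=corp,DC=example", "groupType": -2147483640},
]

if __name__ == "__main__":
    for name, verdict in classify_groups(SAMPLE_ENTRIES, JOINED_DOMAIN_DN):
        print(f"{name:22} {verdict}")
    print("search filter:", global_security_group_filter())
```

To use this against a real domain, run the filter from `global_security_group_filter()` in your LDAP client of choice, request the `groupType` attribute, and feed the entries to `classify_groups` with the DN of the domain the VMstore joined; anything not reported as eligible is a group you will need to re-create as a Global security group in that domain before it will show up in the VMstore.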
About Brian Suhr
Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group, specializing in VDI and Cloud project designs. Awarded VMware vExpert status six years running, 2011 through 2016. VCP3, VCP5, VCP5-IaaS, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design